Wolverton: If you're running Android, watch out for malware

SETTING THE RECORD STRAIGHT (publ. 11/7/2013, page A4) Because of incorrect information provided by Google, the name of Adrian Ludwig, an Android security engineer at the company, was misspelled in the Tech Files column.

Do you need to run antivirus software on a smartphone?

If you have a phone running Google's (GOOG) Android operating system, it's a good idea. In the smartphone world, malware is largely an Android problem, say security experts. That's not to say that Apple's (AAPL) iOS and Microsoft's Windows Phone are invulnerable. But Android presents a bigger and, in some ways, easier to crack target, according to the experts.

"The number of Android devices is huge," said Ragib Hasan, an associate professor of computer science at the University of Alabama at Birmingham who studies smartphone malware. "It makes sense for cybercriminals to focus on that platform."

According to a study released by the Department of Homeland Security in July, 79 percent of the identified smartphone malware threats were targeted at devices running Android. Most of the remaining threats -- 19 percent of the total -- were focused on Symbian, an older mobile operating system that never got much traction in the United States.

Meanwhile, Apple's iOS, BlackBerry and Windows Mobile devices each targeted by less than 1 percent of the malware.

Advertisement

Because hundreds of millions of devices today run Google's operating system, "it's very easy to hit a lot of Android users with one kind of malware," said Peter Stelzhammer, co-founder of AV-Comparatives, a nonprofit organization that tests and rates antivirus software.

And the threat is growing. By the end of June, there were some 718,000 malicious or high-risk Android apps, security firm Trend Micro reported in August. While that total is a small fraction of all the malware targeted at Microsoft's Windows PC operating system, it was up 41 percent just from the end of March.

About half of malware threats identified by the Homeland Security report were Trojan horses, or Trojans, which are malicious programs disguised as legitimate ones. The ones targeting Android devices typically use text messaging programs to send text messages to phone numbers that automatically trigger a payment from the user's account. Often those charges can be in the hundreds or even thousands of dollars.

Another set of smartphone threats come in the form of rootkits, which are malicious pieces of software that hide in the background of a device and record keystrokes, locations and passwords. Yet another threat comes from application stores that impersonate Google's Play store to trick users into downloading malicious software.

Android is targeted not just because it's popular, but also because of how it works, security researchers say.

iPhone users generally can't download apps from any place other than Apple's App Store. Similarly, Microsoft only allows Windows Phone users to download software from its Windows Phone store. By contrast, Android allows users to install software from a variety of locations, not just from Google Play. While there are plenty of legitimate Android storefronts around -- Amazon operates one, for example -- some aren't scrupulous about screening out bad applications.

Android users can help protect their devices by not downloading apps from places other than Google's Play app store, security researchers say. Google screens the apps in its store for malicious code, and Android users can now have Google remotely screen apps on their phone that were downloaded elsewhere, said Adrian Ludwing, an Android security engineer at Google.

Thanks to that service and other built-in security features on Android, users don't really need to run other antivirus programs, Ludwing argued, noting that Google itself dissuades employees from running such software on their devices. Google's data indicates that while the number of malicious apps is increasing, the frequency of infections is low and stable, he said.

But other security experts warn that even Google Play isn't 100 percent safe. A Symantec researcher reported last month that the security company had found some 2,500 scam apps in Google's storefront that were posted between the beginning of the year and the end of August.

The apps typically promise to connect users with pornographic websites, but frequently charge users $1,000 or more to sign up. Symantec found that 1,000 of the apps were listed in August alone, although many were deleted quickly.

Whatever the current level of risk may be, it's almost certain to grow. That's because smartphones frequently store or transmit sensitive data such as users' location or financial information.

"Criminals are just discovering the vast amount of information and financial gains they can get from mobile malware," said Hasan.

Given that trend, it's better to be safe than sorry, many security researchers say.

"If you can get antivirus on your phone, it's just safer," said Roger Thompson, chief emerging threats researcher at ICSA Labs, a division of Verizon that tests and rates security products.

Contact Troy Wolverton at 408-840-4285 or twolverton@mercurynews.com.

Follow him at www.mercurynews.com/troy-wolverton or Twitter.com/troywolv.